rfc2437.txt

中、英文RFC文档大全打包下载完全版 .

   long", or "modulus too short"

   Steps:

   1. If the length of the signature S is not k octets, output "invalid
   signature" and stop.

   2. Convert the signature S to an integer signature representative s:

   s = OS2IP (S)

   3. Apply the RSAVP1 verification primitive (Section 5.2.2) to the
   public key (n, e) and the signature representative s to produce an
   integer message representative m:

   m = RSAVP1 ((n, e), s)                  If RSAVP1 outputs "invalid"
   then output "invalid signature" and stop.

   4. Convert the message representative m to an encoded message EM of
   length k-1 octets: EM = I2OSP (m, k-1)

   If I2OSP outputs "integer too large," then output "invalid signature"
   and stop.

   5. Apply the EMSA-PKCS1-v1_5 encoding operation (Section 9.2.1) to
   the message M to produce a second encoded message EM' of length k-1
   octets:

   EM' = EMSA-PKCS1-V1_5-ENCODE (M, k-1)

   If the encoding operation outputs "message too long," then output
   "message too long" and stop. If the encoding operation outputs
   "intended encoded message length too short" then output "modulus too
   short".






Kaliski & Staddon            Informational                     [Page 21]

RFC 2437        PKCS #1: RSA Cryptography Specifications    October 1998


   6. Compare the encoded message EM and the second encoded message EM'.
   If they are the same, output "valid signature"; otherwise, output
   "invalid signature."

9. Encoding methods

   Encoding methods consist of operations that map between octet string
   messages and integer message representatives.

   Two types of encoding method are considered in this document:
   encoding methods for encryption, encoding methods for signatures with
   appendix.

9.1 Encoding methods for encryption

   An encoding method for encryption consists of an encoding operation
   and a decoding operation. An encoding operation maps a message M to a
   message representative EM of a specified length; the decoding
   operation maps a message representative EM back to a message. The
   encoding and decoding operations are inverses.

   The message representative EM will typically have some structure that
   can be verified by the decoding operation; the decoding operation
   will output "decoding error" if the structure is not present. The
   encoding operation may also introduce some randomness, so that
   different applications of the encoding operation to the same message
   will produce different representatives.

   Two encoding methods for encryption are employed in the encryption
   schemes and are specified here: EME-OAEP and EME-PKCS1-v1_5.

9.1.1 EME-OAEP

   This encoding method is parameterized by the choice of hash function
   and mask generation function. Suggested hash and mask generation
   functions are given in Section 10. This encoding method is based on
   the method found in [2].

9.1.1.1 Encoding operation

   EME-OAEP-ENCODE (M, P, emLen)

   Options:
   Hash      hash function (hLen denotes the length in octet of the
             hash function output)
   MGF       mask generation function





Kaliski & Staddon            Informational                     [Page 22]

RFC 2437        PKCS #1: RSA Cryptography Specifications    October 1998


   Input:
   M         message to be encoded, an octet string of length at most
             emLen-1-2hLen
   P         encoding parameters, an octet string
   emLen     intended length in octets of the encoded message, at least
             2hLen+1

   Output:
   EM        encoded message, an octet string of length emLen;
             "message too long" or "parameter string too long"

   Steps:

   1. If the length of P is greater than the input limitation for the
   hash function (2^61-1 octets for SHA-1) then output "parameter string
   too long" and stop.

   2. If ||M|| > emLen-2hLen-1 then output "message too long" and stop.

   3. Generate an octet string PS consisting of emLen-||M||-2hLen-1 zero
   octets. The length of PS may be 0.

   4. Let pHash = Hash(P), an octet string of length hLen.

   5. Concatenate pHash, PS, the message M, and other padding to form a
   data block DB as: DB = pHash || PS || 01 || M

   6. Generate a random octet string seed of length hLen.

   7. Let dbMask = MGF(seed, emLen-hLen).

   8. Let maskedDB = DB \xor dbMask.

   9. Let seedMask = MGF(maskedDB, hLen).

   10. Let maskedSeed = seed \xor seedMask.

   11. Let EM = maskedSeed || maskedDB.

   12. Output EM.

9.1.1.2 Decoding operation EME-OAEP-DECODE (EM, P)

   Options:
   Hash      hash function (hLen denotes the length in octet of the hash
             function output)

   MGF       mask generation function



Kaliski & Staddon            Informational                     [Page 23]

RFC 2437        PKCS #1: RSA Cryptography Specifications    October 1998


   Input:

   EM        encoded message, an octet string of length at least 2hLen+1
   P         encoding parameters, an octet string

   Output:
   M         recovered message, an octet string of length at most
             ||EM||-1-2hLen; or "decoding error"

   Steps:

   1. If the length of P is greater than the input limitation for the
   hash function (2^61-1 octets for SHA-1) then output "parameter string
   too long" and stop.

   2. If ||EM|| < 2hLen+1, then output "decoding error" and stop.

   3. Let maskedSeed be the first hLen octets of EM and let maskedDB be
   the remaining ||EM|| - hLen octets.

   4. Let seedMask = MGF(maskedDB, hLen).

   5. Let seed = maskedSeed \xor seedMask.

   6. Let dbMask = MGF(seed, ||EM|| - hLen).

   7. Let DB = maskedDB \xor dbMask.

   8. Let pHash = Hash(P), an octet string of length hLen.

   9. Separate DB into an octet string pHash' consisting of the first
   hLen octets of DB, a (possibly empty) octet string PS consisting of
   consecutive zero octets following pHash', and a message M as:

   DB = pHash' || PS || 01 || M

   If there is no 01 octet to separate PS from M, output "decoding
   error" and stop.

   10. If pHash' does not equal pHash, output "decoding error" and stop.

   11. Output M.

9.1.2 EME-PKCS1-v1_5

   This encoding method is the same as in PKCS #1 v1.5, Section 8:
   Encryption Process.




Kaliski & Staddon            Informational                     [Page 24]

RFC 2437        PKCS #1: RSA Cryptography Specifications    October 1998


9.1.2.1 Encoding operation

   EME-PKCS1-V1_5-ENCODE (M, emLen)

   Input:
   M         message to be encoded, an octet string of length at most
             emLen-10
   emLen     intended length in octets of the encoded message

   Output:
   EM        encoded message, an octet string of length emLen; or
             "message too long"

   Steps:

   1. If the length of the message M is greater than emLen - 10 octets,
   output "message too long" and stop.

   2. Generate an octet string PS of length emLen-||M||-2 consisting of
   pseudorandomly generated nonzero octets. The length of PS will be at
   least 8 octets.

   3. Concatenate PS, the message M, and other padding to form the
   encoded message EM as:

   EM = 02 || PS || 00 || M

   4. Output EM.

9.1.2.2 Decoding operation

   EME-PKCS1-V1_5-DECODE (EM)

   Input:
   EM      encoded message, an octet string of length at least 10

   Output:
   M       recovered message, an octet string of length at most
           ||EM||-10; or "decoding error"

   Steps:

   1. If the length of the encoded message EM is less than 10, output
   "decoding error" and stop.

   2. Separate the encoded message EM into an octet string PS consisting
   of nonzero octets and a message M as: EM = 02 || PS || 00 || M.




Kaliski & Staddon            Informational                     [Page 25]

RFC 2437        PKCS #1: RSA Cryptography Specifications    October 1998


   If the first octet of EM is not 02, or if there is no 00 octet to
   separate PS from M, output "decoding error" and stop.

   3. If the length of PS is less than 8 octets, output "decoding error"
   and stop.

   4. Output M.

9.2 Encoding methods for signatures with appendix

   An encoding method for signatures with appendix, for the purposes of
   this document, consists of an encoding operation. An encoding
   operation maps a message M to a message representative EM of a
   specified length. (In future versions of this document, encoding
   methods may be added that also include a decoding operation.)

   One encoding method for signatures with appendix is employed in the
   encryption schemes and is specified here: EMSA-PKCS1-v1_5.

9.2.1 EMSA-PKCS1-v1_5

   This encoding method only has an encoding operation.

   EMSA-PKCS1-v1_5-ENCODE (M, emLen)

   Option:
   Hash      hash function (hLen denotes the length in octet of the hash
             function output)

   Input:
   M         message to be encoded
   emLen     intended length in octets of the encoded message, at least
             ||T|| + 10, where T is the DER encoding of a certain value
             computed during the encoding operation

   Output:
   EM        encoded message, an octet string of length emLen; or "message
             too long" or "intended encoded message length too short"

   Steps:

   1. Apply the hash function to the message M to produce a hash value
   H:

   H = Hash(M).

   If the hash function outputs "message too long," then output "message
   too long".



Kaliski & Staddon            Informational                     [Page 26]

RFC 2437        PKCS #1: RSA Cryptography Specifications    October 1998


   2. Encode the algorithm ID for the hash function and the hash value
   into an ASN.1 value of type DigestInfo (see Section 11) with the
   Distinguished Encoding Rules (DER), where the type DigestInfo has the
   syntax

   DigestInfo::=SEQUENCE{
     digestAlgorithm  AlgorithmIdentifier,
     digest OCTET STRING }

   The first field identifies the hash function and the second contains
   the hash value. Let T be the DER encoding.

   3. If emLen is less than ||T|| + 10 then output "intended encoded
   message length too short".

   4. Generate an octet string PS consisting of emLen-||T||-2 octets
   with value FF (hexadecimal). The length of PS will be at least 8
   octets.

   5. Concatenate PS, the DER encoding T, and other padding to form the
   encoded message EM as: EM = 01 || PS || 00 || T

   6. Output EM.

10. Auxiliary Functions

   This section specifies the hash functions and the mask generation
   functions that are mentioned in the encoding methods (Section 9).

10.1 Hash Functions

   Hash functions are used in the operations contained in Sections 7, 8
   and 9. Hash functions are deterministic, meaning that the output is
   completely determined by the input. Hash functions take octet strings
   of variable length, and generate fixed length octet strings. The hash
   functions used in the operations contained in Sections 7, 8 and 9
   should be collision resistant. This means that it is infeasible to
   find two distinct inputs to the hash function that produce the same
   output. A collision resistant hash function also has the desirable
   property of being one-way; this means that given an output, it is
   infeasible to find an input whose hash is the specified output. The
   property of collision resistance is especially desirable for RSASSA-
   PKCS1-v1_5, as it makes it infeasible to forge signatures. In
   addition to the requirements, the hash function should yield a mask
   generation function  (Section 10.2) with pseudorandom output.






Kaliski & Staddon            Informational                     [Page 27]

RFC 2437        PKCS #1: RSA Cryptography Specifications    October 1998